明日Dmp人群洞察 (Mingri DMP Audience Insight)

Security checks across malware telemetry and agentic risk

Overview

The skill appears to provide the advertised DMP audience-insight workflow, but it handles sensitive API credentials, dynamically locates and executes another local skill's Python script, and persists task and result data to local files in ways users should review carefully.

Install only if you trust the publisher and the companion auth/logger skills. Use narrowly scoped API credentials, rotate them if pasted into chat, check where result and history files are written, and avoid running this in a workspace where untrusted skills or files could masquerade as the auth helper.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (18)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# Call the auth skill's API script
    try:
        result = subprocess.run(
            ["python3", str(auth_skill_path), "POST", endpoint, json.dumps(request_body)],
            capture_output=True,
            text=True,
Confidence
90% confidence
Finding
result = subprocess.run( ["python3", str(auth_skill_path), "POST", endpoint, json.dumps(request_body)], capture_output=True, text=True, timeout=

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# Call the auth skill's API script (correct endpoint path, without the /api/open-api prefix)
    try:
        result = subprocess.run(
            [
                "python3",
                str(auth_skill_path),
Confidence
87% confidence
Finding
result = subprocess.run( [ "python3", str(auth_skill_path), "GET", "/audience/insight/result", js

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The skill's main purpose is analytics, yet the workflow mandates or strongly encourages installation and use of a task-recording component that stores task parameters and history locally. This introduces unnecessary data retention and expands exposure of potentially sensitive campaign metadata.

Context-Inappropriate Capability

High
Confidence
93% confidence
Finding
Automatic installation of other skills via shell command exceeds the minimum behavior needed for audience insight and creates a supply-chain and arbitrary-command execution risk. Even if the package names are fixed, pulling and installing external components at runtime materially increases attack surface.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
Checking local credential files and skill-installation directories is a form of environment probing that is not central to the advertised analytics purpose. Such probing can disclose system layout, presence of other tools, and sensitive configuration state, which increases privacy and attack-surface concerns.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
Persisting complete task parameters and history to local files is not required to perform the core insight analysis and creates avoidable data retention risk. Stored parameters may reveal business strategy, audience identifiers, and other sensitive operational details to other local processes or users.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The skill's stated purpose is audience-insight API access, but it gains an additional capability: locating and executing arbitrary local Python code from multiple directories. That expansion of authority is dangerous in this context because the discovered script inherits the user's privileges and can do far more than make an API call, turning a data-analysis skill into a local code-execution primitive if a malicious or tampered auth skill is present.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The script performs discovery of another local authentication skill and its API module, which exceeds the stated audience-insight functionality and creates an unnecessary cross-skill trust boundary. Even without executing the target file, probing for auth-related components in the user's workspace can expose environment structure and enable later abuse or unintended coupling to sensitive credentials logic.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The code enumerates local skill directories and reads files from other skills to identify an authentication module by content. This grants the skill visibility into unrelated local components and metadata, violating least privilege and creating a path for reconnaissance of installed skills and sensitive integration layout that is not justified by an audience-insight tool.

Description-Behavior Mismatch

Medium
Confidence
79% confidence
Finding
The skill's stated purpose is audience insight retrieval, but on success it silently persists raw API response data and a derived Excel workbook to local disk. This creates an undisclosed data-at-rest side effect that may expose sensitive audience analytics, identifiers, or business data to other local users, backups, sync tools, or later compromise.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The script enumerates multiple local skill and workspace directories and heuristically selects any script named minri_dmp_api.py whose contents mention specific keywords. This broad discovery behavior expands the attack surface and enables dependency confusion or local planting attacks, where an attacker places a crafted script in a searched directory to hijack execution.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script searches broadly through local skill and workspace directories and opens candidate files to inspect their contents, which exceeds what is necessary for querying task status. This creates an unsafe trust boundary: a malicious or unexpected local skill can be discovered and then executed as the auth backend, enabling execution of attacker-controlled code or unintended inspection of unrelated files.
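The discovery-then-execute findings above (enumerating skill and workspace directories, matching a file by name and keywords in its contents, then handing the result to subprocess.run) all describe one trust boundary, so the added example below covers them together. It is not code from the skill or from the scanner. It reproduces the insecure discovery pattern next to a pinned resolver that takes an explicitly configured path, confines it to one trusted root after symlink resolution, rejects files other users can write, and checks a SHA-256 pin before anything is executed. Only the file name minri_dmp_api.py comes from the findings; the keyword strings, directory layout, script contents and pin are constructed for the demonstration.

```python
"""Locating a helper script by search-and-keyword-match versus pinning it explicitly."""
import hashlib
import hmac
import os
import stat
import subprocess
import sys
import tempfile
from pathlib import Path

AUTH_SCRIPT_NAME = "minri_dmp_api.py"          # file name reported in the findings
AUTH_KEYWORDS = ("access_key", "secret_key")   # assumed stand-ins for the keywords the skill greps for


class UntrustedAuthScript(Exception):
    """Raised when a candidate auth script fails the pinning checks."""


def find_auth_script_by_discovery(search_dirs):
    """Insecure pattern from the findings: walk several directories and take the first file
    with the expected name whose contents mention the keywords. Anyone who can write to
    any searched directory chooses what gets executed."""
    for root in map(Path, search_dirs):
        if not root.is_dir():
            continue
        for candidate in sorted(root.rglob(AUTH_SCRIPT_NAME)):
            try:
                text = candidate.read_text(encoding="utf-8", errors="ignore")
            except OSError:
                continue
            if all(keyword in text for keyword in AUTH_KEYWORDS):
                return candidate
    return None


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def resolve_pinned_auth_script(configured_path, allowed_root, expected_sha256):
    """Hardened pattern: an explicitly configured path, confined to one trusted root after
    symlink resolution, not writable by other users, and pinned to a known content hash."""
    path = Path(configured_path).resolve(strict=True)
    root = Path(allowed_root).resolve(strict=True)
    if root not in path.parents:
        raise UntrustedAuthScript(f"{path} is outside the trusted root {root}")
    mode = path.stat().st_mode
    if os.name == "posix" and mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise UntrustedAuthScript(f"{path} is group- or world-writable")
    if not hmac.compare_digest(sha256_file(path), expected_sha256):
        raise UntrustedAuthScript(f"{path} does not match the pinned hash")
    return path


def run_auth_script(script_path, args, timeout=30):
    """Run the verified script with the current interpreter rather than whatever 'python3'
    resolves to on PATH; the caller inspects the CompletedProcess."""
    return subprocess.run([sys.executable, str(script_path), *args],
                          capture_output=True, text=True, timeout=timeout, check=False)


def demo():
    """Constructed scenario: a genuine auth skill plus a planted look-alike in the workspace."""
    with tempfile.TemporaryDirectory() as tmp:
        skills = Path(tmp) / "skills" / "minri-auth"
        workspace = Path(tmp) / "workspace"
        skills.mkdir(parents=True)
        workspace.mkdir()
        genuine = skills / AUTH_SCRIPT_NAME
        genuine.write_text("# access_key / secret_key handling\nimport sys\nprint('genuine', sys.argv[1:])\n")
        planted = workspace / AUTH_SCRIPT_NAME
        planted.write_text("# access_key secret_key\nprint('planted: attacker code runs here')\n")

        discovered = find_auth_script_by_discovery([workspace, skills])  # workspace is searched first
        pin = sha256_file(genuine)                                         # recorded at install time
        verified = resolve_pinned_auth_script(genuine, skills, pin)

        def rejected(path):
            try:
                resolve_pinned_auth_script(path, skills, pin)
            except UntrustedAuthScript:
                return True
            return False

        planted_rejected = rejected(planted)
        genuine.write_text(genuine.read_text() + "print('tampered')\n")  # in-place tampering inside the root
        tampered_rejected = rejected(genuine)
        return {
            "discovery_picked_planted": discovered == planted,
            "pinned_resolves_genuine": verified == genuine.resolve(),
            "planted_rejected": planted_rejected,
            "tampered_rejected": tampered_rejected,
        }


if __name__ == "__main__":
    print(demo())
```

The demo does not launch the verified script; run_auth_script is what a skill would call once resolve_pinned_auth_script has returned a path. The pin has to be recorded out of band (at install or review time), otherwise the hash check only proves the file has not changed since the skill first saw it.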

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs users to provide API credentials and states they will be saved locally, but it does not clearly warn about the security implications of persistent secret storage such as theft from disk, backups, or other local users. This can lead to long-lived credential compromise.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The workflow says result retrieval will automatically generate local JSON and Excel files, but this side effect is not surfaced as a clear privacy/data-handling warning. Users may unknowingly cause sensitive insight data to be written to disk where it can persist and be accessed later.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation promotes automatic recording of task history, parameters, and storage paths without a clear privacy warning about user-activity logging. This can expose sensitive operational patterns and configuration details beyond the immediate task execution context.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The script writes raw JSON API output and a generated Excel file to disk automatically, without warning, consent, or an option to suppress persistence. Because audience insight data can be commercially sensitive or privacy-sensitive, silent storage increases the risk of unintended disclosure through local access, backups, synchronization services, or forensic recovery.

Ssd 3

High
Confidence
98% confidence
Finding
The skill explicitly asks users to paste Access Key and Secret Key into chat and then save them locally. This is dangerous because chat channels, logs, transcripts, and local files are common leakage points for secrets, enabling unauthorized API access and downstream data compromise.

Ssd 3

Medium
Confidence
90% confidence
Finding
Saving complete task parameters and operation history to a persistent local log can capture sensitive identifiers, audience definitions, and business context. Persistent logs broaden the blast radius of any local compromise and may violate least-retention principles.
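The credential-storage and persistence findings (secrets saved locally after being pasted into chat, raw JSON and Excel output written silently, task parameters appended to a history file) share one remedy: restrict who can read what the skill writes, strip secrets before they reach a history file, and give the user an opt-out. The added example below is not the skill's own code. The file names, the field names access_key and secret_key, and the task record layout are assumed for illustration; the permission checks use POSIX mode bits.

```python
"""Storing credentials, results and task history with least exposure on local disk."""
import json
import os
import stat
import tempfile
from pathlib import Path

SECRET_FIELDS = {"access_key", "secret_key"}   # assumed names of the credential fields
_NOFOLLOW = getattr(os, "O_NOFOLLOW", 0)       # refuse to write through a planted symlink where supported


def write_private_file(path, text):
    """Create a new file readable only by its owner, and fail rather than clobber an existing
    path so a pre-planted file or symlink cannot redirect the write."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL | _NOFOLLOW, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(text)
    return Path(path)


def exposure_issues(path):
    """List how an existing secret or result file is exposed to other local users."""
    st = os.lstat(path)
    issues = []
    if stat.S_ISLNK(st.st_mode):
        issues.append("symlink")
    if st.st_mode & stat.S_IRWXG:
        issues.append("group-accessible")
    if st.st_mode & stat.S_IRWXO:
        issues.append("world-accessible")
    return issues


def redact(record):
    """Replace credential fields before a record is logged or persisted."""
    return {k: ("<redacted>" if k in SECRET_FIELDS else v) for k, v in record.items()}


def append_task_history(history_path, record, persist=True):
    """Append one redacted JSON line to an owner-only history file; honour an opt-out
    instead of logging unconditionally."""
    if not persist:
        return None
    fd = os.open(history_path, os.O_WRONLY | os.O_CREAT | os.O_APPEND | _NOFOLLOW, 0o600)
    with os.fdopen(fd, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(redact(record), ensure_ascii=False) + "\n")
    return Path(history_path)


def demo():
    """Constructed scenario with demo credentials and a task record; nothing here is real."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        creds = write_private_file(tmp / "credentials.json",
                                   json.dumps({"access_key": "AK-demo", "secret_key": "SK-demo"}))
        try:
            write_private_file(creds, "{}")
            clobber_refused = False
        except FileExistsError:
            clobber_refused = True

        loose = tmp / "result.json"          # what a plain open(..., "w") typically leaves behind
        loose.write_text("{}")
        loose.chmod(0o644)

        task = {"task_id": "t-1", "audience": "demo-audience", "secret_key": "SK-demo"}
        hist = append_task_history(tmp / "history.jsonl", task)
        logged = json.loads(hist.read_text(encoding="utf-8").splitlines()[0])
        skipped = append_task_history(tmp / "none.jsonl", task, persist=False)
        return {
            "creds_issues": exposure_issues(creds),
            "clobber_refused": clobber_refused,
            "loose_issues": exposure_issues(loose),
            "secret_logged": logged["secret_key"],
            "raw_secret_in_history": "SK-demo" in hist.read_text(encoding="utf-8"),
            "opt_out_writes_nothing": skipped is None and not (tmp / "none.jsonl").exists(),
        }


if __name__ == "__main__":
    print(demo())
```

exposure_issues is the check the overview asks users to do by hand for result and history files; the 0o600 mode passed to os.open cannot be widened by the process umask, only narrowed, so the files stay owner-only regardless of the shell that launched the skill. Redaction protects only the history file: a secret already pasted into a chat transcript still has to be rotated.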

VirusTotal

65/65 vendors rated this skill as clean.